CCS

How to Perform a Risk-Based Audit

Updated: Jan 3, 2023

A risk-based audit has three key steps, as illustrated below.

Risk Assessment

Description: Performing risk assessment procedures to identify and assess the risks of material misstatement in the financial statements.


This includes the assessment of significant risks, control deficiencies and identified or suspected non-compliance with laws and regulations that will be addressed in the audit and communicated to those charged with governance (TCWG).


The auditor would also select Key Audit Matters (KAM) for inclusion in the auditor’s report for listed entities and for all audits where ISA 701, related to key audit matters, is to be applied as required by local law, regulation or voluntarily.


Risk Response

Description: Designing and performing further audit procedures that respond to identified and assessed risks of material misstatement, at both the financial statement and assertion levels.


Reporting

Description: This involves:

  • Forming an opinion based on the audit evidence obtained and the evaluation of the financial statement presentation and disclosures; and

  • Preparing and issuing a report that is appropriate to the conclusions reached.


A simple way of describing the three elements is illustrated below.



* An “event” is simply a business or fraud risk factor. This would also include risks resulting from the absence of internal control to mitigate the potential for material misstatements in the financial statements.




The various tasks involved in each of these three phases are outlined below.



Risk Assessment

  1. Refer to ISA 230 for a more complete list of documentation required.

  2. Planning (ISA 300) is a continual and iterative process throughout the audit.

  3. RMM = Risks of material misstatement.




An effective risk assessment phase would include the following.

Up-Front Involvement of Senior Team Members

The engagement partner and other key members of the engagement team need to be actively involved in planning the audit, and in planning and participating in the discussion among engagement team members.


This will ensure the audit plan takes advantage of their experience and insight.


Note that ISAs usually refer to the term “auditor” as the person(s) performing the engagement.


Where an ISA intends a requirement or responsibility be fulfilled by the engagement partner, the term “engagement partner” rather than “auditor” is used.


An Emphasis on “Professional Skepticism”

The auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance.


Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional skepticism, or allow the auditor to be satisfied with less-than-persuasive audit evidence when obtaining reasonable assurance.


Planning

The time spent in audit planning (developing the overall audit strategy and audit plan) will ensure that audit objectives are properly met, and that the work of audit staff is always focused on gathering evidence on the most critical areas of potential misstatement.


Team Discussions and Ongoing Communication

A team planning discussion/meeting with the engagement partner present provides an excellent forum for:

  • Informing staff about the client in general and discussing potential risk areas;

  • Discussing the effectiveness of the overall audit strategy and the audit plan and then making changes as necessary;

  • Brainstorming how fraud could occur and then designing an appropriate response;

  • Discussing disclosures where there are higher risks of material misstatement; and

  • Allocating audit responsibilities and setting time frames.

Ongoing communication among the audit team throughout the engagement is also important, for example discussing and addressing audit issues, unusual activities or possible indicators of fraud.


This will enable timely communications to management and, where necessary, changes to the audit strategy and audit procedures.

Focus on Risk Identification

The most important step in a risk assessment process is to identify all the relevant risks.


If business and fraud risk factors are not identified by the auditor, they will not be assessed or documented, and an appropriate audit response will not be designed.


This is why well-designed risk assessment procedures are so important to the effectiveness of the audit.


These risk assessment procedures also need to be performed by the appropriate level of staff.


Financial Statement Disclosures

In assessing risks, disclosures in the financial statements are also taken into account.


Disclosures in the financial statements of SMEs may be less detailed or less complex (for example, some financial reporting frameworks allow smaller entities to provide fewer disclosures in their financial statements).


However, this does not relieve the auditor of the responsibility to obtain an understanding of disclosures and assess the risks of material misstatement in disclosures that are required.


Ability to Evaluate Management’s Response(s) to Risk

A key step in the risk assessment process is to evaluate the effectiveness of management’s responses (that is, management’s control design/implementation), if any, to mitigate the identified risks of material misstatement in the financial statements.


In smaller entities, more reliance will likely be placed on the control environment (such as the competence and integrity of management, etc.) and less on the traditional control activities (such as segregation of duties, etc.).


Use of Professional Judgment

The ISAs require the auditor to use professional judgment throughout the audit and to document the significant judgments made.

Typical examples of tasks throughout the risk assessment process include:

  • Deciding to accept or continue with the client;

  • Developing the overall audit strategy;

  • Establishing materiality;

  • Assessing risks of material misstatement, including the identification of significant risks and other areas where special audit consideration may be necessary; and

  • Developing expectations for use when performing analytical procedures.



Risk Response

Notes:

  1. Refer to ISA 230 for a more complete list of documentation required.

  2. Planning (ISA 300) is a continual and iterative process throughout the audit.

  3. RMM = Risks of material misstatement.



In this phase, the auditor considers the reasons (inherent and control risks) for the risk assessments at the financial statement level and at the assertion level (for each class of transactions, event, account balance, and disclosure), and develops responsive audit procedures.

The auditor’s response to the assessed risks of material misstatement is documented in an audit plan that:

  • Contains an overall response to the risks identified at the financial statement level;

  • Identifies the material financial statement areas and significant disclosures; and

  • Contains the nature, extent, and timing of specific audit procedures tailored to respond to the assessed risks of material misstatement at the assertion level.

The overall responses address assessed risks of material misstatement at the financial statement level.


Such responses would include the assignment and supervision of appropriate personnel, need for professional skepticism, the extent of corroboration required for management’s explanations/representations, consideration of the type of audit procedures to be performed, and what documentation would be examined in support of material transactions.


Further audit procedures generally consist of substantive procedures such as tests of details, analytical procedures, and tests of controls (where there is an expectation that such controls have been operating effectively during the period).




Some of the matters the auditor should consider when planning the appropriate mix of audit procedures to respond to identified risks include the following:



Use of tests of controls

  • Identify relevant internal controls that, if tested, would reduce the need/scope for other substantive procedures.

    • As a general rule, the sample size for testing controls is often significantly less than that of a substantive test of a transaction stream.


    • Assuming that the relevant controls operate consistently and control deviations are unlikely, the use of tests of controls can often result in less work being performed.

    • However, there is no requirement that the operating effectiveness of internal controls (direct or indirect) be tested.

  • Identify any assertions that cannot be addressed by substantive procedures alone. For example, this can often apply to completeness of sales in a small entity, and situations where there is highly automated processing of transactions (such as Internet sales) with little or no manual intervention.


Substantive Analytical Procedures

These are procedures for which the total amount of a transaction stream can be reliably predicted based on available evidence.


This expectation is compared to the actual amount in the accounting records, and the extent of any misstatement readily identified.


In some cases, if the assessed risk for a particular assertion is low (without considering related controls), the auditor may determine that substantive analytical procedures alone would provide sufficient appropriate audit evidence.



Unpredictability

The need to incorporate an element of unpredictability in procedures performed, such as when responding to a risk of material misstatement due to possible fraud.


For example, visits to inventory count locations could be unannounced, or certain procedures could be carried out unannounced prior to the year-end.


Unpredictability also needs to be considered in how much information is provided to management with regard to planned audit procedures and their timing.



Management override

The need for specific audit procedures to address the potential for management override.


Significant risks

The audit response to “significant risks” that have been identified.




Reporting

Notes:

  1. Refer to ISA 230 for a more complete list of documentation required.

  2. Planning (ISA 300) is a continual and iterative process throughout the audit.



The final phase of the audit is to assess the audit evidence obtained and determine whether it is sufficient and appropriate to reduce audit risk to an acceptably low level.


It is important during this phase of the audit to determine:

  • Any change in the assessed level of risk;

  • Whether conclusions drawn from the work performed are appropriate;

  • If any suspicious circumstances have been encountered; and

  • That additional risks (not previously identified) have been appropriately assessed and further audit procedures performed as required.

A team debriefing meeting (towards or at the end of the fieldwork) is not a specific requirement of the ISAs, but can be useful for staff to discuss the audit findings, identify any indications of fraud, and determine the need (if any) to perform any further audit procedures.


When all procedures have been performed and conclusions reached:

  • Audit findings should be reported to management and those charged with governance; and

  • An audit opinion should be formed and a decision made on the appropriate wording for the auditor’s report.


